Penalty for failure to delete data
A Czech private individual had requested a website operator to delete personal data. The right to do so arises from Article 17 of the General Data Protection Regulation. However, the company ignored the data subject’s request and did not delete the data.
Following a complaint to the supervisory authority, proceedings were initiated against the company. As a result, the company was ordered to pay a fine of 10,000 crowns and delete the data.
Conclusion
The rights of data subjects are being used by more and more private individuals to obtain data information or to have data deleted. Already several times there were penalties after the companies ignored the requests. However, due to the low-threshold right of complaint to the data protection authority, the companies concerned must assume that an ignored request will lead to an investigation by the data protection authority.
Especially in large companies, data disclosure is not a question of will, but rather complex due to the various systems. Responding within one month leaves little room for maneuver. Therefore, companies should already deal with the automation of affected party requests in advance.
Entscheidungsdatum:
25.10.2018
Land:
Czech Republic
Art des Verstoßes:
violated rights of the data subject
Betroffene Datensätze:
1
Waren sensible Daten betroffen?:
No
verhängte Geldstrafe:
€ 400,-
Violation of GDPR Paragraph:
15. Right of access by the data subject
17. Right to erasure (‘right to be forgotten’)
Quelle:
Decision of the Czech data protection authority UOOU (Czech)